
DESCRIPTION 



ELEVATOR CONTROLLER 



TECHNICAL FIELD 



The present invention relates to an elevator controller having a multiple redundancy 
configuration including a plurality of control systems. 



For example, in a multiple redundancy configuration in a safety controller for a 
railway disclosed in JP 2000-255431 A, a failsafe function can be ensured using a plurality of 
control systems to improve its reliability. Each of control systems carries out comparison 
between one's own system and other system using a common memory with respect to 
input/output results of a signal to/from an on-site device. When the result data disagree with 
each other, each of the control systems judges that a failure has occurred and causes running 
of trains on railways to stop. 

More specifically, for a certain input contact signal, input results in one's own system 
(hereinafter referred to as "a system A") and input results in other system (hereinafter referred 
to as "a system B") are compared with each other as follows. A controller of the system A 
reads out an input contact signal from an input unit of the system A and writes read-out results 
to the common memory. On the other hand, a controller of the system B, similarly, reads out 
an input contact signal from an input unit of the system B and writes read-out results to the 
common memory. 

The controller of the system A reads out, from the common memory, the results 
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which the controller of the system B has written, compares the results thus read out with its 
input results which have been read out from the input unit of the system A, and then carries 
out comparison with respect to input results between one's own system and other system. 

However, the related art involves the following problems. In the conventional 
multiple redundancy configuration, when obtaining the input results of other system, the 
controller of one's own system reads out other system read-out results which have been 
written to the common memory by the controller of other system. With such a configuration, 
a circuit configuration for realization of a multiple system becomes complicated. Moreover, 
the complexity of the circuit configuration results in that the data processing becomes 
complicated, and hence there arises a problem in that an operation speed becomes slow, or the 
read-out results are delayed. Furthermore, there is encountered a problem in that the system 
becomes expensive since a dedicated hardware is required. 

In addition, in the conventional multiple redundancy configuration, each of the 
control systems reads out a contact signal obtained through a relay circuit to carry out the 
comparison and the verification of an ON/OFF state of the contact signal. However, for 
example, when an encoder is used as signal detecting means, a signal which continuously 
changes its ON/OFF state is inputted to each of the control systems. As a result, there is 
encountered a problem in that each of the conventional control systems cannot carry out the 
comparison and the verification for counting results of such input signals. 

DISCLOSURE OF THE INVENTION 
The present invention has been made in order to solve the above-mentioned 
problems, and it is, therefore, an object of the present invention to obtain an elevator 
controller which is capable of readily carrying out comparison and verification through a 

2 



multiple system even for an input signal which continuously changes its ON/OFF state. 

An elevator controller according to the present invention includes: two or more 
control systems each having an arithmetic operation processing unit; external clock 
generating means for realizing synchronization of the arithmetic operation processing units of 
the control systems; and a common memory data of which can be mutually read out and 
written between the arithmetic operation processing units of the control systems, in which the 
arithmetic operation processing unit of each of the control systems, when taking in a pulse 
train signal used for elevator control as an input signal, takes in both a pulse train signal 
detected with detection means of one's own system and a pulse train signal detected with 

detection means of other system as input signals, and when a difference between counting 

) 

results of the number of pulses of the input signal in both the systems falls within a 
predetermined input signal allowable error range, executes an arithmetic operation processing 
required for the elevator control using the input signal from the detection means of a 
predetermined control system and writes arithmetic operation results to the common memory 
and reads out the arithmetic operation results in other system from the common memory to 
obtain a difference between the arithmetic operation results in one's own system and the 
arithmetic operation results in other system, and when the difference between those arithmetic 
operation results falls within a predetermined arithmetic operation result allowable error range, 
judges that the whole control systems are in a normal state and issues a control operation 
permission command for permitting a control operation for the elevator, while when the 
difference between both the input signals is beyond the input signal allowable error range, or 
when the difference between both the arithmetic operation results is beyond the arithmetic 
operation result allowable error range, the arithmetic operation processing unit of each of the 
control systems judges that any one of the control systems is in an abnormal state and issues a 
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control operation stop command for stopping the control operation for the elevator. 



BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 is a diagram showing a redundancy configuration of a control system of an 
elevator controller according to Embodiment 1 of the present invention; 

FIG. 2 is a flow chart showing a processing for carrying out judgment with respect to 
a normal state of the control system in the elevator controller according to Embodiment 1 of 
the present invention; 

FIG 3 is a diagram showing a redundancy configuration of a control system of an 
elevator controller according to Embodiment 2 of the present invention; and 

FIG 4 is a flow chart showing a processing for carrying out judgment with respect to 
a normal state of the control system in the elevator controller according to Embodiment 2 of 
the present invention. 

BEST MODE FOR CARRYING OUT THE INVENTION 
Embodiments of the present invention will hereinafter be described based on 
drawings. 
Embodiment 1 

In Embodiment 1 of the present invention, a description will be given with respect to 
a case where a control system able to control an operation of an elevator is constituted by two 
systems, i.e., a control system a and a control system b. 

FIG 1 is a diagram showing a redundancy configuration of a control system of an 
elevator controller according to Embodiment 1 of the present invention. Each of the control 
systems shown in FIG 1 has a schematic configuration in which only a microcomputer as an 
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arithmetic operation processing unit is described, and while not illustrated, has a ROM and a 
RAM as a storage portion. In addition, detectors (not shown) such as encoders are mounted 
to a shaft of a speed governor of an elevator in order to obtain position/speed information of a 
car of the elevator. In this embodiment, a case is supposed where signals each having a 
pulse train from the detectors are respectively inputted to input units la and lb corresponding 
to the respective control systems. Moreover, for the purpose of improving reliability, the 
detectors such as encoders are individually mounted to the respective control systems in order 
to detect the same signal with a plurality of detection means. 

Each of signals which have been supplied through the input units la and lb from the 
respective detectors is inputted to both of microcomputers 2a and 2b of the two systems. 
The microcomputers 2a and 2b are synchronized with each other by external clock generating 
means 3 provided commonly to the microcomputers, and each of the microcomputers 
executes an input processing and an arithmetic operation processing. The microcomputers 
2a and 2b have event counter registers (not shown) in order to count the numbers of pulses of 
the input signals each having a pulse train, respectively. 

A common memory 4 which is commonly provided as external storage means is 
connected to each of the microcomputers 2a and 2b of those two systems. The 
microcomputers 2a and 2b can read out and write data from and to the common memory 4 
through respective buses. With such a configuration, each of the microcomputers 2a and 2b 
can read out the arithmetic operation results in other system. 

The microcomputers 2a and 2b can judge based on the comparison and the judgment 
for the input signals to both the systems and the arithmetic operation results in both the 
systems whether or not each of the control systems a and b is in a normal state, i.e., whether 
or not the control system is in a normal state. Moreover, the microcomputers 2a and 2b 
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output signals related to their judgment results to photo-couplers 5a and 5b, respectively, 
thereby allowing ON and OFF states of relay coils 6a and 6b to be changed over to each other. 

A relay contact 7a of the relay coil 6a and a relay contact 7b of the relay coil 6b are 
inserted in series between a relay coil 8 and a control circuit line 9 of the relay coil 8. Here, 
the relay coils 6a and 6b and the relay contacts 7a and 7b correspond to a relay circuit portion. 

When even any one of the relay contacts 7a and 7b becomes the OFF state, the 
excitation for the relay coil 8 is cut off. Accordingly, while not illustrated, for example, a 
relay contact of the relay coil 8 is inserted into a circuit for cutting off a motor brake power 
supply for the elevator, whereby a motor can be braked based on outputs from the 
microcomputers 2a and 2b. 

Next, an operation will be described in detail with reference to FIG 2. FIG 2 is a 
flow chart showing a processing for carrying out judgment with respect to a normal state of 
the control system in the elevator controller according to Embodiment 1 of the present 
invention. Suffixes a and b added to corresponding step numbers represent the control 
system a and the control system b, respectively, and both the control systems a and b are 
identical in basic processing to each other. Then, a description will be mainly given with 
respect to a case where it is judged for the control system a whether or not the control system 
is in a normal state. 

The microcomputer 2a of the control system a takes in an input signal INa from one 
encoder mounted to the shaft of the speed governor of the elevator through the input unit la. 
At the same time, the microcomputer 2a of the control system a further takes in an input 
signal INb from the other encoder mounted to the shaft of the speed governor of the elevator 
through the input unit lb (S201a). 

The microcomputer 2a executes a processing for counting the numbers of pulses of 
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the respective input signals INa and INb using the corresponding event counter register 
(S202a). Moreover, the microcomputer 2a reads out the count value from the corresponding 
event counter register with a constant arithmetic operation period synchronously with the 
clock signal from the external clock generating means 3. 

The microcomputer 2a compares the count values with respect to the input signals 
INa and INb which have been read out from the respective event counter registers with each 
other. More specifically, the microcomputer 2a obtains a difference value between both the 
count values to judge whether or not the difference value falls within a predetermined input 
signal allowable error range (S203a). 

When the difference value falls within the predetermined input signal allowable error 
range, the microcomputer 2a adopts the count value based on the input signal INa as a master 
and executes a processing for arithmetically operating position data and speed data (S204a). 
Here, which of the count values related to the input signals INa and INb is adopted as the 
master is previously determined as a rule for the processing judgment commonly to all the 
microcomputers. 

In Embodiment 1, this situation corresponds to that the rule is previously determined 
in which the count value related to the input signal INa is adopted as the master. Moreover, 
in the control system b as well, the same processing as that in the control system a is executed. 
That is, when the difference value falls within the input signal allowable error range (S203b), 
the microcomputer 2b adopts the count value based on the input signal INa as the master, too, 
and executes the processing for arithmetically operating the position data and the speed data 
(S204b). 

Moreover, the microcomputer 2a writes the resultant arithmetic operation results to 
the common memory 4 (S205a). Likewise, the microcomputer 2b writes the resultant 
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arithmetic operation results to the common memory 4 (S205b), too. Next, the 
microcomputer 2a reads out from the common memory 4 the arithmetic operation results for 
the control system b which have been written by the microcomputer 2b (S206a). 

The microcomputer 2a compares the arithmetic operation results for the control 
system a calculated by itself with the arithmetic operation results for the control system b 
calculated by the microcomputer 2b. More specifically, the microcomputer 2a obtains a 
difference value between both the arithmetic operation results to judge whether or not the 
difference value falls within a predetermined arithmetic operation result allowable error range 
(S207a). 

When the difference value falls within the predetermined arithmetic operation result 
allowable error range, the microcomputer 2a judges that both the control systems a and b are 
in a normal state, i.e., the whole control system is in a normal state. Then, the 
microcomputer 2a issues a control operation permission command to the photo-coupler 5a so 
that the elevator can normally run (S208a). Thereafter, the operation of the microcomputer 
2a proceeds to the operation in a next arithmetic operation period. As a result, the relay coil 
6a is excited and hence the relay contact 7a becomes an ON state. The relay contact 7a is 
held in the ON state as long as the state continues in which the control system is judged to be 
in the normal state. 

On the other hand, when the judgment results show that the difference value between 
both the input signals is beyond the input signal allowable error range (S203a), or when the 
judgment results show that the difference value between both the arithmetic operation results 
is beyond the arithmetic operation result allowable error range (S207a), the microcomputer 2a 
judges that the control system is not in the normal state. Moreover, the microcomputer 2a 
issues a control operation stop command to the photo-coupler 5a in order to stop the elevator 
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(S209a). As a result, the excitation for the relay coil 6a is cut off, and hence the relay 
contact 7a becomes an OFF state. 

Likewise, when the microcomputer 2b issues a control operation stop command to 
the photo-coupler 5b (S209b), the excitation of the relay coil 6b is cut off, and hence the relay 
contact 7b becomes an OFF state. Even any one of the relay contact 7a or the relay contact 
7b becomes the OFF state, thereby cutting off the excitation for the relay coil 8. As a result, 
the motor brake power supply of the elevator is cut off in conjunction with the issue of the 
control operation stop command from the microcomputer 2a or the microcomputer 2b. 

According to Embodiment 1, a plurality of microcomputers can individually judge 
the normal state of the control system, and hence can readily configure the multiple 
redundancy configuration. Each of a plurality of microcomputers judges whether or not the 
comparison results related to the input signals are beyond the input signal allowable error 
range, or whether or not the comparison results related to the arithmetic operation results are 
beyond the arithmetic operation result allowable error range. Also, each of a plurality of 
microcomputers issues the control operation stop command based on its judgment results to 
cut off the motor brake of the elevator, thereby allowing the elevator to stop. 

Moreover, the elevator controller according to Embodiment 1 adopts the simple 
hardware configuration having the external clock and the common memory which are 
common to a plurality of microcomputers. Hence, there is no need to use the expensive 
dedicated hardware such as Application Specific Integrated Circuits (ASIC), or a Field 
Programmable Gate Array (FPGA). Furthermore, with this configuration, for the input 
signals as well having a pulse train and continuously changing its ON/OFF state, the 
comparison and the verification can be readily carried out through the multiple system, and in 
addition thereto, for the arithmetic operation results as well, the comparison and the 
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verification can be readily carried out through the multiple system. As a result, it is possible 
to obtain the inexpensive elevator controller having the high reliability. 
Embodiment 2 

In Embodiment 2 of the present invention, a description will be given with respect to 
a configuration in which the judgment for a normal state of a control system is more strictly 
carried out. FIG. 3 is a diagram showing a redundancy configuration of a control system of 
an elevator controller according to Embodiment 2 of the present invention. In comparison 
with FIG. 1, a point of difference from Embodiment 1 resides in that the control system of the 
elevator controller further includes an output unit 10 for generalizing command outputs from 
a plurality of microcomputers, and feedback relay contacts 11a and lib through which data 
related to operation states of relay coils is fed back to the microcomputers, respectively. 

The output unit 10 takes in command outputs which have been supplied from the 
microcomputers 2a and 2b, respectively, and issues the same generalization commamd to each 
of the photo-couplers 5a and 5b based on states of both the commands. In addition, each of 
the feedback relay contacts 11a and lib becomes an OFF state by the excitation for the relay 
coils 6a and 6b based on the logic opposite to that in the relay contacts 7a and 7b each of 
which becomes an ON state by the excitation for the relay coils 6a and 6b. The data related 
to the states of the feedback relay contacts 11a and lib is written to the microcomputers 2a 
and 2b, respectively. Here, the relay coils 6a and 6b, the relay contacts 7a and 7b, and the 
feedback relay contacts 11a and lib correspond to a relay circuit portion. 

The details of the output unit 10, and the feedback relay contacts 11a and lib will be 
described with reference to FIG 4. FIG 4 is a flow chart showing a processing for carrying 
out the judgment with respect to the normal state of the control system in the elevator 
controller according to Embodiment 2 of the present invention. Suffixes a and b added to 
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corresponding step numbers represent the control systems a and b, respectively, and both the 
control systems a and b are identical in basic processing to each other. Then, a description 
will be mainly given with respect to a case where the normal state of the control system is 
judged in the control system a. 

In addition, processings until the microcomputers 2a and 2b issue the control 
operation permission commands or the control operation stop commands are completely the 
same as those in the flow chart shown in FIG 2. Then, portions used in FIG 4 are described 
as "a portion A" and "a portion B" in FIG 2, and the portions for executing the same 
processings as those in FIG 2 are described as "a portion A" and "a portion B" in FIG 4, and 
their descriptions are omitted. Processings, after those processings, based on command 
outputs issued from the microcomputers 2a and 2b, respectively, will hereinafter be described 
with reference to FIG 4. 

The output unit 10 takes in command outputs issued from the microcomputers 2a and 
2b, respectively, (S401) to judge whether or not logics of both the command outputs are 
identical to each other (S402). That is, when the logic of the control operation permission 
command is assigned 1, and the logic of the control operation stop command is assigned 0, it 
is judged whether or not the logics of both the command outputs agree with each other. 
When the judgment results show that the logics of both the command outputs agree with each 
other, the output unit 10 outputs the agreed command output as the generalization command 
output to each of the photo-couplers 5a and 5b (S403). 

On the other hand, when the logics of both the command outputs disagree with each 
other (S402), the output unit 10 outputs the stop command output as the generalization 
command output to each of the photo-couplers 5a and 5b (S404). That is, if at least one of 
the command outputs issued from the respective microcomputers 2a and 2b is the control 



operation stop command, the output unit 10 issues the control operation stop generalization 
command to each of the photo-couplers 5a and 5b. Moreover, only when both the command 
outputs issued from the microcomputers 2a and 2b are the control operation permission 
commands, the output unit 10 outputs the control operation permission generalization 
command to each of the photo-couplers 5a and 5b. 

The relay coils 6a and 6b operate in accordance with the control operation 
permission generalization command or the control operation stop generalization command 
issued from the output unit 10 (S405). That is, when the control operation permission 
generalization command is issued from the control unit 10, each of the relay coils 6a and 6b 
becomes an excitation state, while when the control operation stop generalization command is 
issued from the control unit 10, each of the relay coils 6a and 6b becomes a non-excitation 
state. 

As described in Embodiment 1, the relay contacts 7a and 7b are contacts which 
become an ON state by exciting the relay coils 6a and 6b, respectively. From a logic 
opposite to that for the relay contacts 7a and 7b, the feedback relay contacts 11a and lib in 
Embodiment 2 are contacts which become an OFF state by exciting the relay coils 6a and 6b, 
respectively. 

The microcomputer 2a can detect the ON/OFF state of the relay coil 6a by reading 
out data related to the state of the feedback relay 11a (S406a). Moreover, the microcomputer 
2a judges whether or not the read-out state of the feedback relay contact agrees with the state 
of the command issued to the output unit 10 (S407a). 

When the judgment results show that both the states agree with each other (S407a), 
the microcomputer 2a judges that the normal state of the control system is ensured. 
Thereafter, the operation of the microcomputer 2a proceeds to a next arithmetic operation 

12 



period. On the other hand, when the judgment results show that both the states disagree with 
each other (S407a), the microcomputer 2a judges that the normal state of the control system is 
not ensured. Then, in order to stop the car, the microcomputer 2a transmits an abnormality 
signal for instructing the elevator control CPU to brake the car using means for 
communication with a CPU of the elevator control substrate (S408a). 

Note that in the description of Embodiment 2 described above with reference to the 
flow chart of FIG 4, the description has been given with respect to the case where the 
judgment results show the disagreement in the step number, S407a, the microcomputer 2a 
immediately communicates the abnormality signal to the elevator control CPU. However, it 
is also conceivable that before the microcomputer 2a immediately transmits the abnormality 
signal, the microcomputer 2a issues a control operation stop command to the output unit 10. 
That is, it is tried that the excitation for the relay coil 8 adapted to cut off the motor brake 
power supply of the elevator is cut off in accordance with the control operation stop command 
issued from the microcomputer 2a, thereby stopping the elevator. 

In this connection, the microcomputer 2a issues the control operation stop command, 
and also reads out the signal of the feedback relay contact 11a. Next, the microcomputer 2a 
judges whether or not the signal from the feedback relay contact 11a is properly detected as 
being in the ON state in correspondence to the output of the control operation stop command. 
Then, when the judgment results show that the signal from the feedback relay contact 11a is 
in the OFF state, i.e., a malfunction occurs, similarly to the processing in the former step 
number, S408a, in order to stop the car, the microcomputer 2a transmits a signal for 
instructing the elevator control CPU to brake the car using the means for communication with 
the CPU of the elevator control substrate. 

According to Embodiment 2, the consistency of the control commands issued from a 
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plurality of microcomputers can be more strictly checked by utilizing the output unit and the 
feedback relay contacts. Moreover, the hardware configuration can be sufficiently realized 
by using a general-purpose device and the like, and hence is inexpensive in terms of the cost. 
As a result, it is possible to obtain the inexpensive elevator controller having the high 
reliability. 

As set forth hereinabove, according to the present invention, there is adopted the 
simple hardware configuration having the external clock and the common memory which are 
common to a plurality of microcomputers, whereby for the input signal as well having the 
pulse train and continuously changing its ON/OFF state, the comparison and the verification 
can be readily carried out through the multiple system, and it is possible to obtain the 
inexpensive elevator controller having the high reliability. 

Note that only while the car is stopped, the microcomputer 2a can verify the 
operation of the feedback relay contact 11a. While the car is stopped, even when the 
ON/OFF operation of the relay coil 8 adapted to cut off the motor brake power supply of the 
elevator is carried out, there is no hindrance to the operation. Then, the microcomputer 2a 
outputs the control operation permission command or the control operation stop command as 
a dummy signal for verification of the operation and reads out data related to the state 
corresponding to this output from the feedback relay contact 11a, thereby allowing the 
operation of the feedback relay contact 1 la to be verified. 

In addition, in Embodiment 2, the configuration has been described in which the 
output unit and the feedback relay contacts are added to the elevator controller of 
Embodiment 1. However, it is possible to adopt a configuration in which only the output 
unit or only the feedback relay contacts is added to the elevator controller of Embodiment 1. 

In addition, in Embodiments 1 and 2, the case has been described where the input 
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signals each having the pulse train from the respective encoders are compared with each other 
based on the allowable error. However, the agreement/disagreement of the input signals 
used to detect the ON/OFF state can also be simply judged through the comparison. 

Also, in FIGS. 1 and 2, a safety relay unit can be used as the relay coils 6a and 6b, 
the relay contacts 7a and 7b, and the feedback relay contacts 11a and lib. The safety unit 
has a function of operating so as to cut off a power supply reliably when the abnormality has 
occurred, and of not recovering an original state unless a cause of the abnormality is removed. 
As a result, it is possible to realize the more reliable elevator controller. 
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